On 27/10/2015 21:21, Walter H. wrote:
> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>> Hi, I need some help on this call.
>>
>> I am building an OCSP client following the guide in openssl and compile
>> the code in Cygwin environment. My openssl version is 1.0.1h.
>>
>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code
>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging shows
>> that OCSP_sendreq_nbio() does not return.
>>
>> Did I need to do something extra to deal with HTTPs based connection?
>>
> OCSP must not be https ...
> the same with CRL download ...

Really, I thought that was only a recent cop-out rule to cater to
clients with inferior SSL libraries that can't handle the recursion.

Of course one should not initiate an HTTPS connection to a server to
(directly or indirectly) validate the server's certificate for another
such connection, but I know no inherent reason not to use HTTPS for
CRL and OCSP access as long as infinite recursion is avoided,
preferably through the choice of server certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
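
The recursion discussed in the message above, as an added example that is not part of the original thread and is not OpenSSL code: a small check that follows "to validate this server's certificate I must connect to its OCSP responder" and reports whether that chain ends or loops. The `struct cert` model, the `ocsp_chain` function and the `*.example.test` hosts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: each TLS server certificate names the OCSP responder
   (scheme + host) that a client must query to check that certificate. */
struct cert {
    const char *host;        /* server presenting this certificate */
    const char *ocsp_scheme; /* "http", "https", or NULL if no OCSP URL */
    const char *ocsp_host;   /* responder host, NULL if no OCSP URL */
};

enum verdict { TERMINATES = 0, LOOPS = 1, UNKNOWN_HOST = 2 };

static const struct cert *find(const struct cert *db, size_t n, const char *host) {
    for (size_t i = 0; host != NULL && i < n; i++)
        if (strcmp(db[i].host, host) == 0) return &db[i];
    return NULL;
}

/* A plain-HTTP responder (or no OCSP URL) ends the chain; an HTTPS responder
   adds one more certificate to check. With n known hosts, still being inside
   the chain after n+1 lookups means some host was visited twice. */
enum verdict ocsp_chain(const struct cert *db, size_t n, const char *host) {
    for (size_t steps = 0; steps <= n; steps++) {
        const struct cert *c = find(db, n, host);
        if (c == NULL) return UNKNOWN_HOST;
        if (c->ocsp_scheme == NULL || strcmp(c->ocsp_scheme, "http") == 0)
            return TERMINATES;
        host = c->ocsp_host; /* HTTPS responder: its certificate is next */
    }
    return LOOPS;
}

/* Constructed sample data, not taken from any real deployment. */
static const struct cert SAMPLE[] = {
    {"www.example.test",    "https", "ocsp.example.test"},
    {"ocsp.example.test",   "http",  "ocsp2.example.test"},
    {"shop.example.test",   "https", "ocsp-a.example.test"},
    {"ocsp-a.example.test", "https", "ocsp-b.example.test"},
    {"ocsp-b.example.test", "https", "ocsp-a.example.test"},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    static const char *names[] = {"terminates", "loops", "unknown host"};
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("%-20s %s\n", SAMPLE[i].host,
               names[ocsp_chain(SAMPLE, SAMPLE_N, SAMPLE[i].host)]);
    return 0;
}
```

In the sample, the HTTPS responder for `www.example.test` is itself checked over plain HTTP, so the chain ends; the two `ocsp-a`/`ocsp-b` responders point at each other over HTTPS and never do.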